safety function: emergency stop products: guardlogix...
TRANSCRIPT
Safety Function: Emergency Stop Products: GuardLogix® Series Connection of E-stops
Safety Rating: PLd, Cat. 3 to EN ISO 13849.1 2008
Table of Contents
Introduction 3
Important User Information 3
Safety Function Realization 4
General Safety Information 5
Setup and Wiring 7
Configuration 8
Calculation of the Performance Level 16
Verification and Validation Plan 18
Additional Resources 21
3
IntroductionThis Safety Function application note explains how to wire, configure, and program a Compact GuardLogix® controller and POINT Guard I/O™ module to monitor a series of dual-channel safety E-stop devices. If any of the E-stops is actuated or a fault is detected in the monitoring circuit, the GuardLogix controller de-energizes the final control device, in this case, a redundant pair of 100S contactors.
This example uses a Compact GuardLogix controller, but is applicable to any GuardLogix controller.
Important User InformationSolid state equipment has operational characteristics differing from those of electromechanical equipment. Safety Guidelines for the Application, Installation and Maintenance of Solid State Controls (publication SGI-1.1 available from your local Rockwell Automation® sales office or online at http://www.rockwellautomation.com/literature) describes some important differences between solid state equipment and hard-wired electromechanical devices. Because of this difference, and also because of the wide variety of uses for solid state equipment, all persons responsible for applying this equipment must satisfy themselves that each intended application of this equipment is acceptable.
In no event will Rockwell Automation, Inc. be responsible or liable for indirect or consequential damages resulting from the use or application of this equipment.
The examples and diagrams in this manual are included solely for illustrative purposes. Because of the many variables and requirements associated with any particular installation, Rockwell Automation, Inc. cannot assume responsibility or liability for actual use based on the examples and diagrams.
No patent liability is assumed by Rockwell Automation, Inc. with respect to use of information, circuits, equipment, or software described in this manual.
Reproduction of the contents of this manual, in whole or in part, without written permission of Rockwell Automation, Inc., is prohibited.
4
Safety Function Realization: Risk AssessmentThe required performance level is the result of a risk assessment and refers to the amount of the risk reduction to be carried out by the safety-related parts of the control system. Part of the risk reduction process is to determine the safety functions of the machine. For the purposes of this document the assumed required performance level is Category 3, PLd.
Emergency Stop Safety FunctionEmergency stop by actuation of an emergency stop push button.
Safety Function RequirementsPressing of any one of the series wired E-Stops will stop and prevent hazardous motion by removal of power to the motor. Upon resetting the E-Stop pushbutton, hazardous motion and power to the motor will not resume until a secondary action (start button depressed) occurs. Faults at the E-Stop button, wiring terminals or safety controller will be detected before the next safety demand. This Emergency Stop function is complementary to any other safeguards on the machine and shall not reduce the performance of other safety related functions. The safety function in this example is capable of connecting and interrupting power to motors rated up to 9A, 600VAC.
The safety function will meet the requirements for Category 3, Performance Level “d” (Cat 3, PLd), per ISO 13849-1, and SIL3 per IEC 62061, and control reliable operation per ANSI B11.19.
5
Throughout this manual, when necessary, we use notes to make you aware of safety considerations.
General Safety InformationContact Rockwell Automation to find out more about our safety risk assessment services.
6
Functional Safety DescriptionHazardous motion is interrupted or prevented by actuation of any emergency stop pushbutton (ES1, ES2 or ES3). Each E-Stop is considered a separate safety function. The E-stop pushbuttons are connected in series to a pair of safety inputs of a Safety Input module (SI1). The safety contactors (K1 & K2) are connected to a pair of safety outputs of a Safety Output module (SO1). The I/O modules are connected via CIP Safety over an EtherNet/IP network to the Safety Controller (SC1). The safety code in SC1 monitors the status of the E-Stop pushbuttons using a pre-certified safety instruction named Dual Channel Input Stop (DCS). When all conditions are satisfied, no faults are detected on the input modules, and the reset push button is pressed, a second certified function block called Configurable Redundant Output (CROUT) checks the status of the final control devices, a pair of 100S redundant contactors. The controller then issues an output signal to the safety output module (SO1) to switch ON a pair of outputs to energize the safety contactors.
Bill of MaterialThis application example uses these components.
Catalog Number Description Quantity
800FM-MT34MX02800F Non-illuminated Mushroom Operators, Twist To Release, 30 mm, Round Metal, Red, Metal Latch Mount, 2 N.C. Contact(S)
3
800FM-G611MX10800F Reset Push Button - Metal, Guarded, Blue, R, Metal Latch Mount, 1 N.O. Contact(S), Standard
1
100S-C09ZJ23C Bulletin 100S-C - Safety Contactors 2
1768-ENBT CompactLogix™ EtherNet/IP Bridge Module 1
1768-L43SCompact GuardLogix Processor, 2.0 MB standard memory, 0.5 MB safety memory
1
1768-PA3 Power Supply, 120/240 VAC Input, 3.5 A @ 24V DC 1
1769-ECR Right End Cap/Terminator 1
1734-AENT 24V DC Ethernet Adapter 1
1734-TB Module Base with Removable IEC Screw Terminals 4
1734-IB8S POINT Guard Safety Input Module 1
1734-OB8S POINT Guard Safety Output Module 1
1783-US05T Stratix 2000™ Unmanaged Ethernet Switch 1
7
Setup and WiringFor detailed information on installing and wiring, refer to the product manuals listed in the Additional Resources.
System OverviewThe 1734-IB8S input module monitors the inputs from the E-stops, which are connected in series. This method conserves the number of inputs that are used, but reduces the granularity of system diagnostics. Typically E-stops are not operated as often as a safety gate, for example; therefore the need to connect each E-stop contact into its own dedicated input is reduced.
An E-stop is considered to be a complementary safety device.
EN 12100-2 5.5.1 provides details on complementary protective measures. These are measures which are neither inherently safe design nor safeguarding, but are required due to intended use or reasonably foreseeable misuse of the machine. The circuit is tested by using test pulses (T0 and T1) on the inputs, I0 and I1. These test pulses source the 24V DC for the circuit. By periodically dropping the 24V DC to OV DC, it is possible to detect cross-channel faults and shorts to an external 24V DC. Shorts to 0V DC will be seen as an open circuit by the input and will be detected by either the hardware, if configured to detect discrepancy errors, or by the appropriate safety function block in the application code.
The final control device in this case is a pair of 100S safety contactors, K1 and K2. The contactors are controlled by a 1734-OBS safety output module. These are wired in a redundant configuration and are tested on start up for faults. The start-up test is accomplished by using a CROUT instruction to monitor the feedback circuit into input 7 (I7) before the contactors are energized. The system is reset by means of the momentary push button, PB1.
Electrical Schematic
8
ConfigurationThe Compact GuardLogix controller is configured by using RSLogix™ 5000 software, version 17 or later. You must create a new project and add the I/O modules. Then, configure the I/O modules for the correct input and output types. A detailed description of each step is beyond the scope of this document. Knowledge of the RSLogix programming environment is assumed.
Configure the Controller and Add I/O ModulesFollow these steps.
1. In RSLogix 5000 software, create a new project.
2. In the Controller Organizer, add the 1768-ENBT module to the 1768 Bus.
9
3. Select the 1768-ENBT module and click OK.
4. Name the module, type its IP address, and click OK. We used 192.168.1.8 for this application example. Yours may be different.
5. Add the 1734-AENT adapter by right-clicking the 1768-ENBT module in the Controller Organizer and choosing New Module.
10
6. Select the 1734-AENT adapter and click OK.
7. Name the module, type its IP address, and click OK. We used 192.168.1.11 for this application example. Yours may be different.
8. Click Change.
11
9. Set the Chassis Size as 3 for the 1734-AENT adapter and click OK.
Chassis size is the number of modules that will be inserted in the chassis. The 1734-AENT adapter is considered to be in slot 0, so for one input and one output module, the chassis size is 3.
10. In the Controller Organizer, right-click the 1734-AENT adapter and choose New Module.
12
11. Expand Safety, select the 1734-IB8S module, and click OK.
12. In the New Module dialog box, name the device ‘CellGuard_1’ and click Change.
13. When the Module Definition dialog box opens, change the Input Status to Combined Status-Power, and click OK.
14. Close the Module Properties dialog box by clicking OK.
15. Repeat steps 10-14 to add the 1734-OB8S safety output module.
13
14
Configure the I/O ModulesFollow these steps to configure the POINT Guard I/O modules.
1. In the Controller Organizer, right-click the 1734-IB8S module and choose Properties.
2. Click Input Configuration and configure the module as shown.
3. Click Test Output and configure the module as shown.
4. Click OK.
5. In the Controller Organizer, right-click the 1734-OB8S module and choose Properties.
6. Click Output Configuration and configure the module as shown.
7. Click OK.
15
ProgrammingThe Dual Channel Input Stop (DCS) instruction monitors dual-input safety devices whose main function is to stop a machine safely, for example, an E-stop, light curtain, or safety gate. This instruction can only energize Output 1 when both safety inputs, Channel A and Channel B, are in the active state as determined by the Input Type parameter, and the correct reset actions are carried out. The DCS instruction monitors dual-input channels for consistency (Equivalent – Active High) and detects and traps faults when the inconsistency is detected for longer than the configured Discrepancy Time (ms).
The Configurable Redundant Output (CROUT) instruction controls and monitors redundant outputs. The reaction time for output feedback is configurable. The instruction supports positive and negative feedback signals.
The safety application code in the safety output routine prevents outputs from restarting if the input channel resets automatically, providing anti-tiedown functionality for the Circuit Reset.
The Input OK status is used as a permissive in the safety output routines.
16
Falling Edge ResetISO 13849-1 stipulates that instruction reset functions must occur on falling edge signals. To comply with this requirement, add a One Shot Falling instruction to the rung immediately preceding the Cmd_Zone1_OutputEnable rung, Then use the OSF instruction Output Bit tag as the reset bit for the following rung. The Cmd_Zone1_OutputEnable is then used to Enable the CROUT instruction.
Modify the reset code as shown below.
Calculation of the Performance LevelWhen configured correctly, the safety system can achieve a safety rating of PLd, Cat. 3 according to EN ISO 13849.1 2008.
The Functional Safety Specifications of the project call for a Performance Level on PLd (minimum)and a structure of Cat 3 (minimum). A PFHd of less than 1.0 E-06 for the overall safety function is required for PLd.
When modeled in SISTEMA, each safety E-stop string is treated as an individual safety function and can be modeled as follows. This diagram shows a single E-stop safety function.
17
Calculations are based on 1 operation of the E-stop per month, with 12 operations per year; therefore 36 operations of contactors per year.
The Diagnostic Coverage (Dcavg) is reduced to 60% for the E-stops because they are connected in series.
The measures against Common Cause Failure (CCF) are quantified using the scoring process outlined in Annex F of ISO 13849-1. For the purposes of the PL calculation, the required score of 65 needed to fulfill the CCF requirement is considered to be met. The complete CCF scoring process must be done when implementing this example.
18
Verification and Validation PlanVerification and Validation play an important role in the avoidance of faults throughout the safety system design and development process. ISO/EN 13849-2 sets the requirements for verification and validation. It calls for a documented plan to confirm all the Safety Functional Requirements have been met.
Verification is an analysis of the resulting safety control system. The Performance Level (PL) of the safety control system is calculated to confirm it meets the Required Performance Level (PLr) specified. The SISTEMA software tool is typically utilized to perform the calculations and assist with satisfying the requirements of ISO 13849-1.
Validation is a functional test of the safety control system to demonstrate that it meets the specified requirements of the safety function. The safety control system is tested to confirm all of the safety related outputs respond appropriately to their corresponding safety related inputs. The functional test should include normal operating conditions in addition to potential fault inject of failure modes. A checklist is typically used to document the validation of the safety control system.
Validation of software development is a process in which similar methodologies and techniques that are used in hardware development are deployed. Faults created through poor software development process and procedure are systemic in nature rather than faults associated with hardware which are considered as random.
Prior to validating the GuardLogix Safety System, it is necessary to confirm the safety system and safety application program have been designed in accordance with the GuardLogix System Safety Reference Manual (1756-RM093) and the GuardLogix Application Instruction Safety Reference Manual (1756-RM095).
GuardLogix Emergenc y Stop Func tion Verification and Validation Checklist
General Machinery Information
Machine Name / Model NumberMachine Serial NumberCustomer NameTest DateTester Name(s)Schematic Drawing NumberController NameSafety Signature IDSafety Network Number(s)RSLogix5000 Software Version
Safety Control System Modules GuardLogix Modules Firmware Version
GuardLogix Safety Controller 1768-L43SCompactLogix Ethernet Bridge 1768-ENBTPOINT I/O Ethernet Adapter 1734-AENTPOINT I/O Input Modules 1734-IB8SPOINT I/O Output Modules 1734-OB8S
GuardLogix Safety System Conf iguration and Wiring Verif ication
Test Step Verif ication Pass/Fail Changes/Modif ications
1 Verify the safety system has been designed in accordance with the GuardLogix System Safety Reference Manual 1756-RM093.
2 Verify the safety application program has been designed in accordance with the GuardLogix Application Instruction Safety Reference Manual 1756-RM095.
3 Visually inspect the safety system network and I/O is wired as documented in the schematics.
4 Visually inspect the RSLogix 5000 program to verify that the safety system network and I/O module configuration is configured as documented.
5 Visually inspect the RSLogix 5000 application program to verify suitable safety certified instructions are utilized. The logic is readable, understandable and testable with the aid of clear comments.
6 All input devices are qualified by cycling their respective actuators. Monitor the status in the RSLogix 5000 Controller Tags window.
7 All output devices are qualified by cycling their respective actuators. Monitor the status in the RSLogix 5000 Controller Tags window.
Normal Operation Verification - The GuardLogix safety system properly responds to all normal Start, Stop, Enabling and Reset Commands
Test Step Verif ication Pass/Fail Changes/Modif ications
1 Initiate a Start Command. Both contactors should energize for a normal machine run condition. Verify proper machine status indication and RSLogix 5000 safety application program indication.
2 Initiate a Stop Command. Both contactors should de-energize for a normal machine Stop condition. Verify proper machine status indication and RSLogix 5000 safety application program indication.
3While Running, press the E-Stop pushbutton. Both contactors should remain de-energized and open for a normal safe condition. Verify proper machine status indication and RSLogix 5000 safety application program indication. Repeat for all E-Stop pushbuttons.
4While Stopped, press the E-Stop pushbutton and initiate a Start Command. Both contactors should remain de-energized and open for a normal safe condition. Verify proper machine status indication and RSLogix 5000 safety application program indication. Repeat for all E-Stop pushbuttons.
5 Initiate Reset Command. Both contactors should remain de-energized. Verify proper machine status indication and RSLogix 5000 safety application program indication.
19
Abnormal Operation Verification - The GuardLogix safety system properly responds to all foreseeable faults with corresponding diagnostics.E-Stop Input Tests
Test Step Validation Pass/Fail Changes/Modif ications
1While Running, remove the Channel 1 wire from the Safety I/O. Both contactors should de-energize. Verify proper machine status indication and RSLogix 5000 safety application program indication. Restore Channel 1 and repeat for Channel 2.
2While Running, short the Channel 1 of the Safety I/O to +24VDC. Both contactors should de-energize. Verify proper machine status indication and RSLogix 5000 safety application program indication. Verify unable to reset and restart with fault. Restore Channel 1 and repeat for Channel 2.
3While Running, short the Channel 1 of the Safety I/O to (-) 0VDC. Both contactors should de-energize. Verify proper machine status indication and RSLogix 5000 safety application program indication Restore Channel 1 and repeat for Channel 2.
4While Running, short the Channels 1 & 2 of the Safety I/O. Both contactors should de-energize. Verify proper machine status indication and RSLogix 5000 safety application program indication. Restore Channel 1 & 2 wiring.
GuardLogix Controller and Network Tests
Test Step Validation Pass/Fail Changes/Modif ications
1While Running, remove the Ethernet network connection between the Safety I/O and the controller. All contactors should de-energize. Verify proper machine status indication and I/O Connection Status in the RSLogix 5000 safety application program.
2Restore the Safety I/O module network connection and allow time to reestablish communication. Verify the Connection Status Bit in the RSLogix 5000 safety application program. Repeat for all Safety I/O connections.
3While Running, switch the controller out of Run Mode. All contactors should de-energize. Return key switch back to Run Mode, all contactors should remain de-energized. Verify proper machine status indication and RSLogix 5000 safety application program indication.
Safety Contactor Output Tests
Test Step Validation Pass/Fail Changes/Modif ications
1 Initiate a Start Command. Both contactors should energize for a normal machine run condition. Verify proper machine status indication and RSLogix 5000 safety application program indication.
2While Running, remove the contactor feedback from the Safety I/O. All contactors should remain energized. Initiate a Stop command and attempt a Reset command. The system should not Restart or Reset. Verify proper machine status indication and RSLogix 5000 safety application program indication.
3While Running, short the contactor feedback to the Safety I/O. All contactors should remain energized. Initiate a Stop command and attempt a Reset command. The system should not Restart or Reset. Verify proper machine status indication and RSLogix 5000 safety application program indication.
20
21
Rockwell Automation, Allen-Bradley, GuardLogix, RSLogix 5000, CompactLogix, Stratix 2000, and POINT Guard I/O are trademarks of Rockwell Automation, Inc.Trademarks not belonging to Rockwell Automation are property of their respective companies.
For More Information on Safety Function Capabilities, visit:discover.rockwellautomation.com/safety
Additional ResourcesFor more information about the products used in this example refer to these resources.
You can view or download publications at http://www.rockwellautomation.com/literature. To order paper copies of technical documentation, contact your local Allen-Bradley® distributor or Rockwell Automation sales representative.
Resource Description
Compact GuardLogix Controllers User Manual, Publication 1768-UM002
Provides information on configuring, operating, and maintaining Compact GuardLogix controllers.
POINT Guard I/O Safety Modules Installation and User Manual, Publication 1734-UM013
Provides information on installing, configuring, and operating POINT Guard I/O Modules.
GuardLogix Controller Systems Safety Reference Manual, Publication 1756-RM093
Contains detailed requirements for achieving and maintaining safety ratings with the GuardLogix controller system.
GuardLogix Safety Application Instruction Set Reference Manual, Publication 1756-RM095
Provides detailed information on the GuardLogix Safety Application Instruction Set.
Safety Accelerator Toolkit for GuardLogix Systems Quick Start Guide, Publication IASIMP-QS005
Provides a step-by-step guide to using the design, programming, and diagnostic tools in the Safety Accelerator Toolkit.
Safety Products Catalog
Publication SAFETY-AT080B-EN-E – January 2013 Copyright ©2013 Rockwell Automation, Inc. All Rights Reserved.Supersedes Publication SAFETY-AT080A-EN-E – October 2012